xref: /rk3399_ARM-atf/docs/plat/warp7.rst (revision c948f77136c42a92d0bb660543a3600c36dcf7f1) 
1Trusted Firmware-A for i.MX7 WaRP7
2==================================
3
4The Trusted Firmware-A port for the i.MX7Solo WaRP7 implements BL2 at EL3.
5The i.MX7S contains a BootROM with a High Assurance Boot (HAB) functionality.
6This functionality provides a mechanism for establishing a root-of-trust from
7the reset vector to the command-line in user-space.
8
9Boot Flow
10=========
11
12BootROM --> TF-A BL2 --> BL32(OP-TEE) --> BL33(U-Boot) --> Linux
13
14In the WaRP7 port we encapsulate OP-TEE, DTB and U-Boot into a FIP. This FIP is
15expected and required
16
17# Build Instructions
18
19We need to use a file generated by u-boot in order to generate a .imx image the
20BootROM will boot. It is therefore _required_ to build u-boot before TF-A and
21furthermore it is _recommended_ to use the mkimage in the u-boot/tools directory
22to generate the TF-A .imx image.
23
24## U-Boot:
25
26https://git.linaro.org/landing-teams/working/mbl/u-boot.git
27
28.. code:: shell
29
30    git checkout -b rms-atf-optee-uboot linaro-mbl/rms-atf-optee-uboot
31    make warp7_bl33_defconfig;
32    make u-boot.imx arch=ARM CROSS_COMPILE=arm-linux-gnueabihf-
33
34## TF-A:
35
36https://github.com/ARM-software/arm-trusted-firmware.git
37
38.. code:: shell
39
40    make CROSS_COMPILE=arm-linux-gnueabihf- PLAT=warp7 ARCH=aarch32 ARM_ARCH_MAJOR=7 ARM_CORTEX_A7=yes AARCH32_SP=optee all
41    /path/to/u-boot/tools/mkimage -n /path/to/u-boot/u-boot.cfgout -T imximage -e 0x9df00000 -d ./build/warp7/debug/bl2.bin ./build/warp7/debug/bl2.bin.imx
42
43## OP-TEE:
44
45https://github.com/OP-TEE/optee_os.git
46
47.. code:: shell
48
49    make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- PLATFORM=imx PLATFORM_FLAVOR=mx7swarp7 ARCH=arm CFG_PAGEABLE_ADDR=0 CFG_DT_ADDR=0x83000000 CFG_NS_ENTRY_ADDR=0x87800000
50
51
52## FIP:
53
54.. code:: shell
55
56    mkdir fiptool_images
57    cp /path/to/uboot/u-boot.bin fiptool_images
58    cp /path/to/optee/out/arm-plat-imx/core/tee-header_v2.bin fiptool_images
59    cp /path/to/optee/out/arm-plat-imx/core/tee-pager_v2.bin fiptool_images
60    cp /path/to/optee/out/arm-plat-imx/core/tee-pageable_v2.bin fiptool_images
61    cp /path/to/linux/arch/boot/dts/imx7s-warp.dtb fiptool_images
62    tools/fiptool/fiptool create --tos-fw fiptool_images/tee-header_v2.bin --tos-fw-extra1 fiptool_images/tee-pager_v2.bin --tos-fw-extra2 fiptool_images/tee-pageable_v2.bin --nt-fw fiptool_images/u-boot.bin --hw-config fiptool_images/imx7s-warp.dtb warp7.fip
63
64
65# Deploy Images
66
67
68First place the WaRP7 into UMS mode in u-boot this should produce an entry in
69/dev like /dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0
70
71.. code:: shell
72
73    => ums 0 mmc 0
74
75Next flash bl2.imx and warp7.fip
76
77bl2.imx is flashed @ 1024 bytes
78warp7.fip is flash @ 1048576 bytes
79
80.. code:: shell
81
82    sudo dd if=bl2.bin.imx of=/dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0 bs=512 seek=2 conv=notrunc
83    # Offset is 1MB 1048576 => 1048576 / 512 = 2048
84    sudo dd if=./warp7.fip of=/dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0 bs=512 seek=2048 conv=notrunc
85
86Remember to umount the USB device pefore proceeding
87
88.. code:: shell
89
90    sudo umount /dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0*
91
92
93# Signing BL2
94
95A further step is to sign BL2.
96
97The image_sign.sh and bl2_sign.csf files alluded to blow are available here.
98
99https://github.com/bryanodonoghue/atf-code-signing
100
101It is suggested you use this script plus the example CSF file in order to avoid
102hard-coding data into your CSF files.
103
104Download both "image_sign.sh" and "bl2_sign.csf" to your
105arm-trusted-firmware top-level directory.
106
107.. code:: shell
108
109    #!/bin/bash
110    SIGN=image_sign.sh
111    TEMP=`pwd`/temp
112    BL2_CSF=bl2_sign.csf
113    BL2_IMX=bl2.bin.imx
114    CST_PATH=/path/to/cst-2.3.2
115    CST_BIN=${CST_PATH}/linux64/cst
116
117    #Remove temp
118    rm -rf ${TEMP}
119    mkdir ${TEMP}
120
121    # Generate IMX header
122    /path/to/u-boot/tools/mkimage -n u-boot.cfgout.warp7 -T imximage -e 0x9df00000 -d ./build/warp7/debug/bl2.bin ./build/warp7/debug/bl2.bin.imx > ${TEMP}/${BL2_IMX}.log
123
124    # Copy required items to $TEMP
125    cp build/warp7/debug/bl2.bin.imx ${TEMP}
126    cp ${CST_PATH}/keys/* ${TEMP}
127    cp ${CST_PATH}/crts/* ${TEMP}
128    cp ${BL2_CSF} ${TEMP}
129
130    # Generate signed BL2 image
131    ./${SIGN} image_sign_mbl_binary ${TEMP} ${BL2_CSF} ${BL2_IMX} ${CST_BIN}
132
133    # Copy signed BL2 to top-level directory
134    cp ${TEMP}/${BL2_IMX}-signed .
135    cp ${BL2_RECOVER_CSF} ${TEMP}
136
137
138The resulting bl2.bin.imx-signed can replace bl2.bin.imx in the Deploy
139Images section above, once done.
140
141Suggested flow for verifying.
142
1431. Followed all previous steps above and verify a non-secure ATF boot
1442. Down the NXP Code Singing Tool
1453. Generate keys
1464. Program the fuses on your board
1475. Replace bl2.bin.imx with bl2.bin.imx-signed
1486. Verify inside u-boot that "hab_status" shows no events
1497. Subsequently close your board.
150
151If you have HAB events @ step 6 - do not lock your board.
152
153To get a good over-view of generating keys and programming the fuses on the
154board read "High Assurance Boot for Dummies" by Boundary Devices.
155
156https://boundarydevices.com/high-assurance-boot-hab-dummies/
157